Preface


The purpose of this report is to characterize the process of “Human-Rating” as employed by NASA for 
human spaceflight. 

An Agency-wide committee was formed in November 1992 to develop a Human-Rating Requirements 
Definition for Launch Vehicles based on conventional (historical) methods. The committee members 
were from NASA Headquarters, Marshall Space Flight Center, Kennedy Space Center, Stennis Space
Center, and Johnson Space Center (JSC). 

After considerable discussion and analysis, committee members concluded that human-rating is the 
process of satisfying the mutual constraints of cost, schedule, mission performance, and risk while 
addressing the requirements for human safety, human performance, and human health management and 
care. 

1. Synopsis

Historically, the methods of implementing human-rating vary as a function of program, across the systems 
and subsystems that are components of a program or project, and sometimes across mission phases within 
a program. Although details of specific implementations have varied, the top-level, fundamental process 
has remained constant. That invariant process is as follows: 

• The program establishes processes and procedures for human-rating early in the definition phases and 
constantly reviews these processes and procedures as the program matures. 

• Historically, the human-rating process can be collected into three fundamental components: human
safety, human performance, and human health management and care.[1]

• The human-rating process evaluates and balances the components of human-rating with cost, 
schedule, risk, benefit, and performance. 

As used here, human-rating implementation refers to a specific approach to ensuring that the space 
system is human-rated. For example, capsule separation and jettison is an implementation approach that 
provides the required level of human safety during launch. However, an abort system carries risks of 
malfunction which can affect otherwise normal missions. Quad-redundancy and high reliability are other 
implementation approaches that can satisfy a required level of human safety. 

Similarly, as used here, the human-rating process is that set of procedures and methods that not only 
estimates and evaluates the combined components of human-rating along with cost, schedule, risk, 
benefit, and performance, but also maintains an active consistency of decisions. 

2. Historical Background on Human-Rating 

A review of NASA’s historical approach to human-rating a space system demonstrates that the process 
has been essentially invariant or constant. However, specific implementations vary as a function of the 
program benefit or return and of the program’s systems and subsystems, and across the mission phases. 

The historical process has been to examine the safety of human spaceflight from a total integrated system 
viewpoint. The following historical synopsis highlights variations of the specific implementation 
approaches to human safety. 

2.1 Historical Perspective of Human Safety 

2.1.1 Implementation Methods Vary as a Function of Program 

Mercury and Gemini. The launch vehicles employed on Mercury and Gemini were basically developed to 
be launched on the Redstone short-range ballistic missile and the Atlas and Titan intercontinental ballistic 
missiles. Atlas and Titan vehicles were flying operational systems which were basically simple systems with 
selected redundancy. The central focus of human-rating the integrated vehicles of Mercury/Atlas and
Gemini/Titan was to add redundancy and a launch escape system for the crew. 

Thus, the task for NASA and the prime contractors was to define the monitoring instrumentation for abort 
condition sensing and the warning systems to alert both crew and ground to initiate an abort. This approach 
necessitated a thorough review of all failure history, flight history, and corrective actions to determine lead 
times before failure and crew warning and resultant action response times to decide on manual versus 
automatic initiation. Additional redundancy was defined for certain time-critical hardware failures such as 
rate gyros to sense flight path deviations or vehicle engine failures. Redundant sensors were added to 
monitor tank pressures, propulsion system pumps and chamber pressure, hydraulic system actuation, and 
control. Selective hardware screening programs were instituted for critical hardware. 


[1] The human-rating process for the Mercury, Gemini, and Apollo Programs was centered on human safety. The
Skylab and Shuttle Programs added to this an emphasis on human performance and health management.

In addition, a rigorous ground test and unmanned flight test program was designed to demonstrate the
hardware margins and flight performance before actually placing a crew in the launch vehicle. There were 
17 flight tests prior to Alan Shepard’s flight. Critical design and safety reviews and programs such as 
manned flight awareness were instituted to ensure compliance with requirements and to increase awareness 
in all workers that the ultimate use of the vehicle they were building would be to carry humans. 

Apollo. For the Apollo Program, there were no existing boosters with the required performance. Therefore, 
the Saturn IB and V launch vehicles were designed for human flight from the beginning. The designers,
beginning in the definition stages, addressed issues such as the classical engine and propulsion system 
failure modes, the necessary redundancy to be employed, the critical instrumentation sensing and abort 
warning system requirements, the TNT equivalent yield, fireball size and overpressure envelope that an 
escape system would have to clear; the warning times required for manual and automatic sensing, and 
implementation of the crew escape system. Again, the design criteria for structured design of tanks, lines, and 
components and the certification and acceptance testing was defined and implemented. 

The Apollo design for launch vehicles, abort sensing and implementation, and the launch escape system had 
additional redundancy and safety improvements as compared to the Mercury and Gemini launch vehicles. 
Note that redundancy is not in itself sufficiently more reliable but rather depends on the method(s) of 
implementation. Also, redundancy is not feasible for all subsystems. 

There was an extensive ground and unmanned flight test program to validate the design features and to 
certify the launch escape system since the launch vehicle was uniquely developed for the Apollo mission. 
Similarly, there were extensive design and safety reviews to ensure compliance with requirements. Of most 
importance to everyone involved in the program was an increased awareness of the high safety quality 
required to send people to the Moon and back. 

Space Shuttle. The Space Shuttle launch vehicle was highly integrated and employed a stage-and-a-third 
parallel-burn philosophy. In this configuration, the Orbiter vehicle and crew were much closer to the source
of explosive yield of fire and overpressure than in the in-line series burn configurations used on the
Mercury, Gemini, and Apollo launch systems. Thus, the considerations for crew safety were a tremendous 
challenge over previous programs. The most significant challenge was how to address the issue of aborts 
during first stage. To enable the possible consideration of crew escape, crew ejection, pod ejection, or 
Orbiter separation and fly-away, a method for thrust termination of the solid rocket boosters (SRBs) had to 
be developed. 

To separate from a vehicle thrusting in excess of 6.4 million pounds required the capability to shut down the 
solid boosters and main liquid engines. Shutting down the liquid engines was a proven technology, but 
extinguishing an SRB was not. Various concepts were examined for thrust termination on the SRBs. One 
concept was to pyrotechnically blow out the head end of the booster and neutralize thrust; another concept 
was to sever the nozzle to accomplish the same purpose. Either approach had three major concerns or 
significant design challenges. As a result, the decision was made that the additional safety risks and design 
complexities introduced by thrust termination were of greater concern than the presumed low failure rates of 
solid motors. For those areas considered “high” risk, more stringent design requirements were derived to 
build in greater reliability for the Space Shuttle boosters. Targeted areas were case structural design factors 
of safety, case insulation, and segment seals. 

In summary, crew safety design decisions vary as a function of program, with decisions made based on 
the integrated view of program requirements, physical constraints, system performance, and system cost 
and benefit. Mercury and Gemini Program managers accepted the reliability of the launcher and designed 
additional safety via capsule or crew ejection. Apollo Program managers employed the same crew 
ejection approach but designed additional safety measures into the launcher. The Shuttle used a
historical performance database to improve safety design and certified the vehicle to be human-rated with 
no first stage abort capability. 

2.1.2 Implementation Methods Vary by Mission Phase

Apollo. Apollo redundancy and abort criteria depended on mission phase. During lunar descent, the crew 
had the option to abort the landing by separating the descent stage and returning to lunar orbit with the 
ascent stage. Once on the lunar surface, however, the ascent vehicle had no abort capability and no
engine-out capability. The cost to provide lunar ascent abort capability was judged to be prohibitive. 
Engineering and program judgment concluded that the benefit was worth the cost. Therefore, Program 
managers instead decided that an acceptable level of reliability could be achieved by using simple systems 
of proven reliability (such as a pressure-fed engine and hypergolic propellants) and by performing 
substantial ground tests to certify reliability. Conversely, the cis-lunar trajectory sacrificed performance to 
provide maximum abort capability (free return). 

Space Shuttle. The Space Shuttle has the capability for launch abort throughout all mission phases 
presuming nominal SRB thrust. There is no abort option for the loss of SRB function. Again, as discussed 
in the previous section, probabilistic risk assessments were made during the definition phase of the 
Program to target problem areas and increase design margins. Thus, to provide the required safety within 
physical and cost constraints, various implementation approaches have been used in different phases of 
the same Program. Again, the focus is not on implementation approach, such as crew ejection, but on a 
system-level integrated methodology that considers cost, schedule, performance, risk, and benefits. 


2.1.3 Human Safety Approach Is Dictated by Risk versus Benefit of the Mission

The historical approach has always been a carefully considered balance among cost, schedule, 
performance, and safety risk for the return benefit. No single implementation option or design approach 
can be recommended as the “safe” option or approach. Different implementations and approaches were 
used in different programs as well as in different phases of a program. In all cases, methodologies or 
processes, or both, were employed that considered all issues of cost, performance, schedule, and safety for 
the return value of the mission. Safety, which was always a primary consideration in all programs, was 
combined with oversight approaches to ensure safety through instituting a substantial verification, 
validation, and certification program. 

2.2 Historical Perspective of Human Performance

Human performance has been a growing element of spaceflight since the first Mercury launch of a crew 
member into suborbital trajectory. As the complexity of the missions, and the spacecraft designed and 
developed to support those missions, has grown over the years, the participation of crew members in 
those missions has likewise had to increase to meet operational goals and objectives. If viewed as an 
integrated system, the launch vehicle, the flight module, the recovery system, and the human participants 
are inextricably linked in a common unit. The following addresses the necessity of including the human 
element in this equation. 

Numerous instances are available within the history of the space program where the presence of crew 
members has led directly to the recovery of a mission or saving of a spacecraft that might otherwise have 
been lost. Gemini 8 and Apollo 13 are well-publicized examples. As the space program evolves further, 
the role of human crew members will become more complex and interactive with the evolving technology 
used to develop spacecraft and ancillary equipment. To this end, the application of human engineering is 
essential during the development and acquisition of systems, equipment, software, procedures, and 
facilities to achieve effective integration of the human element into system performance. To fulfill this 
requirement, NASA-STD-3000, “Man-Systems Integration Standards,” has been developed to be used as 
a programmatically applicable document to human-rated systems. 

NASA-STD-3000 is designed to be tailored to any given program that uses a human crew in a flight 
vehicle. Currently, program-specific volumes have been developed for the Space Station Program 
(Volume IV). These documents address the spaceflight specific factors within the human engineering
discipline by systematically treating chapters on: 

• Anthropometry and biomechanics 

• Human performance capabilities 

• Natural and induced environments 

• Crew safety 

• Health management 

• Architecture 

• Workstations 

• Activity centers 

• Hardware and equipment 

• Maintainability 

• Facility management 

• Extravehicular activity 

Additionally, NASA Safety Standard NSS 1740.XX, the “Human Engineering Handbook for Safety
Assurance,” is being revised to address the need for human engineering application to future programs
and recognize that the human element early on in program development is an essential task. 

2.3 Historical Perspective of Human Health Management and Care

The goals of space medicine are to sustain life and maintain productive human function throughout all 
phases of spaceflight. The discovery of space motion sickness, dramatic vascular fluid shifts, 
hematopoietic abnormalities, and postflight gravitational intolerance as distinct physiological entities and
the demonstration of human survivability in a space environment occurred as a direct extension of these 
goals during Project Mercury. 

The Gemini Program further elucidated cardiovascular, hematological, and musculoskeletal changes 
associated with extended spaceflight. In addition, Gemini established our understanding of the 
physiological principles associated with extravehicular activity. The Apollo Program took mankind to the 
Moon. Apollo established the physiological foundation for Space Shuttle Orbiter (SSO) missions through 
its study of spaceflight durations comparable to those of the Orbiter. These missions also demonstrated 
that many in-flight medical conditions could be safely diagnosed and treated, thus confirming that 
interplanetary missions were feasible. 

The Skylab Program studied habitability and physiological adaptation problems associated with
long-duration spaceflight. Significant countermeasures research including human-rating of the lower body
negative pressure suit was first accomplished aboard Skylab. Manual correction of complex 
electromechanical faults by Skylab crews reaffirmed the need for a human presence aboard subsequent 
spaceflights. To accomplish this, the need for continued biomedical research was established. 

Skylab and the SSO have provided us with a plethora of biomedical data and spin-off technology. These 
data are currently reflected in the SSO Aeromedical Flight Rules and the Medical Operations 
Requirements Document (MORD). Critical issues contained in the MORD concerning preflight and 
postflight training, safety, countermeasures, emergency medical services, rescue operations, and medical 
evacuation have contributed directly to continued crew health and mission success. 

Flight aboard the International Space Station will herald a new era in biomedical research. Space 
medicine experiments on this platform will allow for exhaustive studies of physiological and 
psychological changes associated with ultralong-duration spaceflight and the development of effective 
countermeasures. The data from these studies will allow for the human-rating of interplanetary missions 
of the future. 



3. The Human-Rating Process Is Defined 


3.1 Research and Findings 

The conventional historical human-rating implementation approaches defined in Table 1 were extracted
from applicable NASA Management Instructions (NMIs), NASA reports, and alternative approaches used by
other industries. In these, it was concluded that there were no “standard” implementation methods for
human-rating from the standpoint of factors of safety, levels of redundancy, etc. These types of
methods were found to be mission-dependent and always varied between and within programs with no
commonality in application. The research and development efforts, however, did yield two common
denominators.


Table 1. Human-Rating Implementation Approaches

• Design Factors of Safety

• Reliability

• Failure Tolerance

• System Health Monitoring

• Emergency Detection

• Crew Escape

• Test and Verification

• Effects of Human Interaction with System

• Effects of Environment Caused by Human Presence

These items were not “methods” of human-rating, but were specific, and variable, “implementations”
that were determined to be appropriate, for each specific application, through a management process
that evaluated risk, cost, schedule, and performance.


The first common denominator was that the items listed in Table 1 were not fundamental “truths” that
were applicable in every case, but instead were solutions to a more complex question. The actual
human-rating “implementations” used were collections of analytical and management processes that always
evaluated risk, cost, schedule, and performance in some integrated procedure that varied between
programs, within programs, and within mission phases of a program. The graphic in Figure 1 is an
attempt to illustrate these points.

The second common denominator was that human-rating consists of more than crew safety. Human-rating 
has three unique (as compared to unmanned vehicles) sets of requirements that are the primary drivers of 
system designs: human safety, human performance, and human health management and care. 

Repositories for these three sets of requirements are identified in Figure 2.

The relationship between human-rating a vehicle or habitat for safety and the requirements for human 
performance and health management and care is not always clear. One relationship is through the mass 
assumed for a crew carrier. There are constraints on volume, crew equipment, and support equipment 
required to ensure a healthy, high-performing crew. Another constraint is that the launch vehicle dynamic 
parameters must be within crew health and performance boundaries. Finally, there is a relationship 
through the crew interface with the system. For example, is the mass that the launcher delivers to orbit 
sufficient to provide the minimum requirements for human health and performance? Are the steady-state 
and dynamic acceleration loads within human performance requirements? Are the off-nominal 
performance characteristics of the system within human limits for emergency response? 

These findings led to the following characterization of human-rating: 

Human-rating is the process of satisfying the mutual constraints of cost, schedule, 
performance, risk, and benefit while addressing the requirements for human safety, 
human performance, and human health management and care. 

3.2 Supporting Definitions

A structured human-rating process is always established for all applicable NASA programs and is 
executed for the complete life cycle of the program. Approval of the human-rating process is normally 
accomplished as an integral part of the program process defined in NMI 7120.4 and in NASA Handbook 
(NHB) 7120.5. This human-rating process has evolved to consider the requirements for human safety,
human performance (nominal and degraded states of operation), and human health management and care.
The process provides a continuous tracking method for recording system performance against three
human-rating elements.

Figure 1. The human-rating process is an integral part of a complex decision. Selecting the
appropriate option for human-rating a space system is not as simple as mandating crew escape or
quad-redundancy. While in many cases these have been the correct implementation options, sometimes cost,
schedule, and performance drive the program to make alternative decisions to achieve the same level of
human-rating.

Human safety is the measurement of risk of injury to, or loss of life of, any of the spaceflight personnel. 
Injury includes injury as a direct result of the space mission as well as long-term effects owing to 
exposure to the total mission environment. 

A safety program conforming to the constraints specified in NASA NHB 1700.1 (V-1B), “NASA Basic 
Safety Manual” is developed and tailored to the needs of the human-rated space system. The human 
safety program normally implements a process for risk identification, risk reduction, risk control, risk 
visibility, and program manager’s risk acceptance. The process may use qualitative or quantitative 
methods, or both, to assess the risk to human safety. Generally, qualitative methods have been used. 
Sometimes quantitative methods, such as relative probabilistic risk assessment, have been used to resolve 
critical trade issues in which alternative choices impact system safety. 

Figure 2. Repository of the historical basis for human-rating. NASA has recorded its experiences in
human-rating in a collection of documents and management instructions. This repository contains policies 
to establish the human-rating processes as well as to recommend implementation approaches. 


Human performance is the physical and mental action required of a crew to accomplish mission goals. 
This includes the interaction of crew members with equipment, computers, procedures, training material, 
the environment, and other humans. Human performance issues are considered in all phases of a program, 
including both nominal and program-defined contingency operations. Nominal operation provides an 
environment that ensures a highly efficient, productive, and healthy crew who are capable of safely 
executing all mission objectives. Elements affecting the body and mind are designed to be compatible 
with the human capabilities and limitations to ensure that mission goals are achieved. Measurement of 
human performance against established criteria is accomplished to allow mission goals to be designed and 
modified as required to ensure their successful completion. 

Human health management and care is that set of activities, procedures, and systems that provide
environmental monitoring and crew health assessment, health maintenance and countermeasures, and 
medical intervention to diagnose and treat injury and illness. Human health management and care issues 
are considered in all phases of the program. The human-rating process ensures that systems, procedures, 
training, and protocols appropriately address issues of environmental monitoring and individual health 
assessment, health maintenance and countermeasures, and medical diagnosis and treatment of injury and 
sickness. These issues are assessed and measured against appropriate mission risks for each NASA space 
system. 


4. Conclusions and Recommendations 

The committee concluded that there were no “standard” implementation methods for human-rating from 
the standpoint of factors of safety, levels of redundancy, etc. These types of methods were found to be 
mission-dependent and always varied between and within programs with no commonality in application. 

The historical human-rating methods used for space vehicles were collections of analytical and 
management processes that always evaluated risk, benefit, cost, schedule, and performance in some 
integrated procedure. The actual top-level requirements for human-rating have remained relatively 
constant over time. Those requirements are always evaluated as part of an integrated assessment that 
includes performance, cost, and schedule. This approach has successfully been employed to allow 
creativity and innovation to direct the program toward a system that is safe, effective, and viable. 

The committee recommends that the definition of human-rating be the following: 

A process that satisfies the constraints of cost, schedule, performance, risk, and benefit 
while addressing the three requirements of human safety, human performance, and 
human health management and care. 


5. References 

• MSFC-HDBK-505A, “Structural Strength Program Requirements”

• JSC 23211, “Proposed Standards for Human-rating Space Systems”